ietf-smime

Re: New way of transporting certificates

1998-03-05 16:20:35
Blake Ramsdell wrote:
I believe that at least one vendor (Netscape) deals with this by
creating a SignedData message with no content, and a single SignerInfo.
I don't know if this was the right thing or not, so further comments are
welcome.

I don't know if Jeff, Jamie, or whoever is still on the list and can
comment about this.

  I'm still lurking, and Lisa will be back in 2 weeks!!

  You correctly describe what we do.  I don't think it has been very
widely used though.  It would be nice to have a standard way of
publishing the capabilities.  One thing that has caused problems is
that there is already a directory attribute for holding the user's
certificate, but it is defined as a raw x509 cert.  We put our
SignedData in a different attribute, and use it if present.  If not,
we use the standard one (without the recipient's capabilities).  The
presence of two certs in the directory entry, one put there by
the user and the other by the CA, which can get out of sync, has
caused confusion.

        --Jeff
